Applying a host profile that specifies an Active Directory domain to join causes a compliance failure.

Problem

When you apply a host profile that specifies an Active Directory domain to join, but you do not enable the activeDirectoryAll rule set in the firewall configuration, a compliance failure occurs. The vSphere Web Client displays the error message Failures against the host profile: Ruleset activedirectoryAll does not match the specification. The compliance failure also occurs when you apply a host profile to leave an Active Directory domain, but you do not disable the activeDirectoryAll rule set in the host profile.

Cause

Active Directory requires the activeDirectoryAll firewall rule set. You must enable the rule set in the firewall configuration. If you omit this setting, the system adds the necessary firewall rules when the host joins the domain, but the host will be noncompliant because of the mismatch in firewall rules. The host will also be noncompliant if you remove it from the domain without disabling the Active Directory rule set.

Solution

  1. Browse to the host profile in the vSphere Web Client.
    To find a host profile, click Policies and Profiles > Host Profiles on the vSphere Web Client Home page.
  2. Right-click the host profile and select Edit Settings.
  3. Click Next.
  4. Select Security and Services > Firewall Configuration > Firewall configuration > Ruleset Configuration.
  5. Ensure that activeDirectoryAll is selected.
  6. In the right panel, select the Flag indicating whether ruleset should be enabled check box.
    Deselect the check box if the host is leaving the domain.
  7. Click Next, and then click Finish to complete the change to the host profile.
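Before applying the profile, it helps to confirm that the host's current rule set state matches what the profile is about to do, so that the mismatch described under Cause is caught ahead of the compliance check. The POSIX shell check below is an added example, not VMware's code; it assumes the two-column layout of `esxcli network firewall ruleset list` output, the function names are hypothetical, and the sample listing is constructed.

```shell
# Constructed sample of `esxcli network firewall ruleset list` output for a host
# whose Active Directory rule set is still disabled. The layout (Name / Enabled
# columns under a dashed header) is assumed, not captured from a real host.
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
vSphereClient        true
activeDirectoryAll   false'

# Print the Enabled column ("true"/"false") for one rule set, or "missing" if
# the rule set does not appear in the listing.  $1 = rule set id, $2 = listing.
# On a live host, pass "$(esxcli network firewall ruleset list)" as $2.
ruleset_state() {
  state=$(printf '%s\n' "$2" | awk -v rs="$1" '$1 == rs { print $2 }')
  [ -n "$state" ] && printf '%s' "$state" || printf 'missing'
}

# Compare the host's activeDirectoryAll state with the action the host profile
# will take: "join" requires the rule set enabled, "leave" requires it disabled.
# Returns 0 when the host would be compliant, 1 on a mismatch, 2 on bad usage.
check_ad_ruleset() {
  case "$1" in
    join)  want=true ;;
    leave) want=false ;;
    *) echo "usage: check_ad_ruleset join|leave LISTING" >&2; return 2 ;;
  esac
  have=$(ruleset_state activeDirectoryAll "$2")
  if [ "$have" = "$want" ]; then
    echo "activeDirectoryAll enabled=$have: consistent with '$1'"
    return 0
  fi
  # Mirrors the compliance failure the profile would report after apply.
  echo "Ruleset activeDirectoryAll does not match the specification:" \
       "host has enabled=$have, profile action '$1' expects enabled=$want" >&2
  return 1
}
```

When the check reports a mismatch, correct the Ruleset Configuration in the host profile as described in the steps above rather than hand-editing the host, otherwise the next remediation will reintroduce the difference.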